YellowKey and GreenPlasma are separate issues, but they share the same lesson: once an attacker has physical access or an initial foothold, weak recovery paths and overprivileged components can turn a limited compromise into full system access.

YellowKey: BitLocker bypass

YellowKey is the name we are using for a BitLocker bypass path that weakens the protection BitLocker is supposed to provide after a device is offline. In practice, that kind of issue matters most when an attacker can get hands on a powered-off or suspended machine and manipulate the boot or recovery flow.

The main risk is not that BitLocker stops working everywhere. The risk is that a gap in the trust chain lets an attacker reach protected data without the normal unlock process.

GreenPlasma: local privilege escalation

GreenPlasma is a local privilege escalation issue. That means an attacker who already has code execution as a standard user can potentially move up to higher privileges, including administrative or SYSTEM-level access.

LPE bugs are especially useful to attackers because they often follow an initial compromise. A phishing payload, a weak remote shell, or another low-privilege entry point can become a full host takeover if the escalation path is reliable.

Why these issues matter together

These classes of bugs are dangerous for different reasons, but they often show up in the same incident chain.

A realistic sequence looks like this:

  1. Gain a low-privilege foothold.
  2. Use a local escalation flaw to raise privileges.
  3. Abuse the elevated context to tamper with security settings, dump secrets, or persist.
  4. If the machine is physically accessible, target the offline protections as well.

That is why BitLocker bypasses and LPEs deserve the same attention as remote code execution flaws. They may not be flashy, but they can be decisive.

What defenders should do

Keep device firmware and security features current, and test whether boot, recovery, and driver trust settings still behave as expected after updates. For endpoint fleets, pay close attention to:

  • Secure Boot and firmware configuration
  • BitLocker recovery and TPM-backed unlock behavior
  • Local admin sprawl
  • Untrusted or unsigned drivers
  • Rapid patching for kernel and service-level issues

Also assume that local privilege escalation bugs will eventually be chained with other access. Reducing the blast radius matters just as much as patching the flaw itself.
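The checklist above, turned into a read-only audit a defender can run on a single endpoint. This is an added example, not code from the original write-up or from any project it describes. It assumes an elevated PowerShell session on a UEFI Windows 10/11 host with the BitLocker and TPM modules installed; the function name `Get-EndpointHardeningReport`, the `$ExpectedAdmins` parameter and the 45-day patch-age threshold are our own choices, not anything the page prescribes.

```powershell
# Added endpoint hardening audit (illustrative; not part of the original page).
# Assumes an elevated PowerShell session on a UEFI Windows 10/11 host with the
# BitLocker and TPM modules available. Function and parameter names are our own.
#Requires -RunAsAdministrator

function Get-EndpointHardeningReport {
    [CmdletBinding()]
    param(
        # Local accounts expected to hold admin rights; any other member is flagged.
        [string[]]$ExpectedAdmins = @('Administrator')
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS or without elevation,
    #    so treat an exception as "not enforced" rather than silently passing.
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { $secureBoot = $false }
    if (-not $secureBoot) { $findings.Add('Secure Boot is off or not reportable') }

    # 2. TPM present and ready, otherwise BitLocker cannot seal keys to the boot measurements.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { $findings.Add('TPM missing or not ready') }

    # 3. BitLocker on the OS volume: fully encrypted, protection not suspended, a TPM-backed
    #    protector present, and a recovery password protector present (escrow is checked elsewhere).
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.VolumeStatus -ne 'FullyEncrypted') { $findings.Add("OS volume status is $($os.VolumeStatus)") }
    if ($os.ProtectionStatus -ne 'On')        { $findings.Add('BitLocker protection is suspended or off') }
    $types = $os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() }
    if (-not ($types | Where-Object { $_ -like 'Tpm*' })) { $findings.Add('No TPM-backed key protector') }
    if ($types -notcontains 'RecoveryPassword')          { $findings.Add('No recovery password protector') }

    # 4. Local admin sprawl: members of the local Administrators group beyond the expected set.
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    $extra  = $admins | Where-Object { ($_ -split '\\')[-1] -notin $ExpectedAdmins }
    foreach ($a in $extra) { $findings.Add("Unexpected local admin: $a") }

    # 5. Unsigned drivers, as reported by the PnP signed-driver class.
    $unsigned = Get-CimInstance Win32_PnPSignedDriver |
        Where-Object { $_.IsSigned -eq $false -and $_.DeviceName }
    foreach ($d in $unsigned) { $findings.Add("Unsigned driver: $($d.DeviceName) ($($d.InfName))") }

    # 6. Patch lag: days since the most recent installed hotfix (45-day threshold is our own).
    $lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($lastFix -and $lastFix.InstalledOn) {
        $age = (Get-Date) - $lastFix.InstalledOn
        if ($age.TotalDays -gt 45) {
            $findings.Add("Last hotfix $($lastFix.HotFixID) installed $([int]$age.TotalDays) days ago")
        }
    }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Findings = $findings
        Passed   = ($findings.Count -eq 0)
    }
}

Get-EndpointHardeningReport | Format-List
```

Each finding maps to one bullet in the list above, so a non-empty `Findings` array is the signal that one of the controls has drifted after an update. The script only reads state; a fleet-wide version would emit the same object per host into whatever inventory or SIEM the organization already uses, and the recovery-password escrow check belongs with the directory or MDM that holds the keys rather than on the endpoint.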

Bottom line

YellowKey is about the offline trust boundary. GreenPlasma is about the jump from user to administrator. Together they show how quickly a small weakness can become a full compromise when endpoint hardening is incomplete.